Uncovering SOC 2 compliance in 5 minutes

There’s a world of cyber-threats and potential data management problems out there. But the good news is that there is an even more intricate world of compliance measures, guides, and goals to help you stay away from the Big Bad Cyber-Wolf, keep your data (and your customers’ data) secure, and, overall, go with business as usual as safely as possible. SOC 2 is one of the most common compliance goals – and if you handle customer data in the cloud (which you probably do if you run a SaaS), you might want to learn what SOC 2 means, how it works, and whether or not you need to aim for it.

SOC 2 stands for "System and Organization Control" and it’s a category of security reports that applies to all companies that hold customer data in the cloud. Developed by AICPA (American Institute of CPAs), SOC 2 consists of guidelines (also known as "Trust Services Criteria") meant to help businesses stay on the safe side when it comes to keeping data secure.

In short, SOC 2 compliance is all about ensuring that your company is handling customer data in a secure and responsible manner. In plain English, if you handle customer data in the cloud directly, your business should get a SOC 2 audit, generate a report based on that, and then share it with stakeholders to demonstrate you are doing things the right way (i.e. the cyber-secure way).

Before 2014, vendors and businesses only had to meet the requirements of SOC 1. But as the world became increasingly more complex, SOC requirements had to change and so, AICPA "upgraded" their System and Organization Control reports to SOC 2.

In general terms, SOC 2 is considered to be a type of technical audit. However, security professionals know that SOC goes beyond that, precisely because companies that need a SOC certificate have to implement sturdy information security processes and procedures.

SOC reports are unique to each organization because it adapts to the specific needs of each business, enabling leadership to design controls that follow one, multiple, or all principles of trust. Nota bene! That’s not necessarily the case with other types of certifications in the same area (such as the PCI DSS Certification, for example).

Before we dive deeper into SOC 2 and the details that comprise it, we have to make a pitstop and make an important distinction: that of privacy vs confidentiality. In short, privacy requirements such as GDPR and CCPA are legal requirements businesses have to meet in regard to customer data. These requirements protect all the citizens in the specific area defined by these regulations (i.e. the EU and California).

In the United States, however, data privacy compliance takes a sectoral and industry-based approach. This means that regulations may apply to just some industries or types of data. Which is precisely why AICPA makes a distinction between privacy (when a company directly handles customer data) and confidentiality (when a company handles customer data through another company - such as B2B data sharing).

SOC 2 applies to privacy criteria. In other words, you can get a SOC 2 certificate if you handle customer data directly, provided you meet all the audit criteria to generate a positive report.

SOC 2 is important because it’s a gold standard for data security. As a business, you want to be able to say that you meet or exceed the highest possible standards in order to instill trust in your customers and stakeholders.

Yes, SOC 2 audits aren’t easy and they require significant investments in terms of time and resources. But then again, compliance and data security aren’t easy -- so you might as well go with a clear standard like SOC 2.

As mentioned above, the Trust Services Criteria (TSC) are the foundations of whether or not an external auditor will grant you a SOC 2 certification. To get there, you have to comply with one or more out of the five trust principles, as showcased by your processes and procedures.

The SOC 2 trust principles are described as follows:

1. Security (which refers to how you protect your organizations' data from unauthorized access through tools like firewalls, two-factor authentication, and so on.). 
2. Availability (which refers to the accessibility of the system through the measuring of the network availability, security incident handling, and so on.)
3. Processing Integrity (which refers to the accuracy and completeness of data, as well as the prevention of unauthorized changes to information.)
4. Confidentiality (which refers to safeguarding of data and making it available only to a clear, stipulated, and specific set of business entities or persons.) 
5. Privacy (which refers to how your company collects, uses, retains, discloses, and disposes of Personal Identifiable Information.)

Absolutely. Our security solutions follow the SOC 2 principles, so as not to interfere with you obtaining your System and Organization Control certificate. 

More specifically, we: 

• Provide you with full access control over every user role;  
• Encrypt data at rest (disks are encrypted), in transit (via TLS) and in a transparent way (database files themselves are encrypted); 
• Offer two-factor authentication options (through both Microsoft and Google); 
• Enable you to set up your own networking and firewall rules; 
• Make sure our own software goes through thorough development and quality assurance processes; 
• Use high-quality software (Prometheus) to gather both business and system metrics for you, the customer, to analyze; 
• Gather high-quality metric data to measure monitor our clusters (also through Prometheus); 
• Provide you with custom backup and restore setup options; 
• Offer intrusion detection alert options to help you react in a timely manner if a situation arises. 

Through all these measures, we help organizations stay compliant in terms of how they communicate across the business. SOC 2 certification will pose no challenge for your communication security with Worldr. 

If you have decided to pursue a SOC 2 certification, you should also know there are two types of SOC 2 reports auditors can provide you:

Type I SOC 2 Report

This type of SOC 2 report is usually requested by first-time audited companies. It describes the organization’s systems and whether the system design complies with the relevant trust principles (one, two or all five of them). This report attests the service controls at a specific point in time.

Type II SOC 2 Report

This type of SOC 2 report goes into more detail in regard to the operational efficiency of the system design. This report will attest the service controls of the audited company for a minimum of six months.

Of course, SOC 2 auditing and certification are much larger subjects than a few short bullet points. A few key takeaways include:

• Establish processes that help you monitor known…and unknown threats. As we were mentioning in the beginning, there’s a myriad of them out there and you need to be prepared for anything that may come your way.
• Create a process that helps your team sound the alarm only when the activity deviates from the norm and is unlikely to be a false positive.
• Build audit trails, because sometimes, no matter how prepared you are, anomalies will still happen. And when that day comes, you want to make sure you go to the root cause of the problem, eliminate it, and establish procedures that help you prevent it in the future.
• Showcase your tools and actionable data. Your customers, business partners, and stakeholders want to know that you can take action when needed. Show them you will base this action on actual actionable data.

In one word - yes.

If you handle customer data directly (not through a service like Amazon AWS, for example), a SOC 2 certification will help you build trust with your customers and stakeholders.

We can’t say it’s an easy process as it takes a lot of time and resources, but in the end it will be worth it.